WaterMiner Monero Miner Is the Newest Cryptocurrency Malware

The dangerous trend of creating new ways to infect client computers has led to the development of WaterMiner ‒ an evasive malware Monero miner. A detailed security reveals how this malicious software takes advantage of weak security and takes advantage on thousands of computers online to generate income in the Monero digital currency.

The WaterMiner Monero Miner Revealed

Security researchers discovered a new malware which is being actively distributed on the Internet on a global scale. Its name is designated as the WaterMiner Monero Miner, from its name computer uses can guess that it is designated to “mine” the Monero cryptocurrency using the available resources of the compromised machines. Reports indicate that this type of computer threats are becoming very popular and may very well turn into a separate category soon as they develop further.

The malware was detected in malicious campaign that distributes the virus using modified gaming “mods” which are frequently used by computer games to cheat games or modify their characters with unusual statistics. The victim site which started the WaterMiner infections. The onset of attacks associated with the threat was due to a mod for the popular Grand Theft Auto video games issued posted on a Russian-speaking forum called “Arbuz” which translates to “watermelon” in Russian.

The hackers distributed it via different profiles which makes it impossible to discover the first original source. One of the most important reasons why the WaterMiner Monero miner is so successful is because the virus files were reported clean by a Virus Total scan. It is possible that the criminals spoofed the scans to confuse the targets into infecting themselves. The malicious mod that hosts the WaterMiner Monero miner is hosted on Yandex.Disk, one of the popular Russian file sharing services in a RAR archive file.

Capabilities of the WaterMiner Monero Miner

Once the victims download the WaterMiner Monero miner software in its archived form when the RAR file is unpacked several files are revealed. Among them is an executable file called “pawncc.exe” which is a script which leads to the WaterMiner Monero infection. When it is executed a sequence of commands are run which download the malware from a remote server. The researchers note that the following order is followed:

Initial System Check ‒When the victims run the application for the first time it verifies whether the machine is not already infected with the WaterMiner software. If it has not been found an infection marker is created in the Windows registry at “HKLM\Software\IntelPlatform” with a value of “Ld566xsMp01a” set to “Nothing”.

Initial Infection ‒ The malware is downloaded from a remote hacker-controlled site which hosts the virus file. The identified files are being hosted on a shared Google Drive profile. When the file is downloaded the infection marker is renamed to “loaded” and the miner is run on the compromised computer.

WaterMiner Execution ‒ The malicious process is run under the name “Intel (R) Security Assistent.exe”, but will not proceed if the market set is not specified as “loaded”. This means that a simple killswitch can be created which disables the Windows Registry modification mechanism.

During the the investigation the researchers discovered several unique indicators in the way the virus is created. It allowed them to trace the source code of an earlier version posted on a Pastebin instance. The author comments found there showcase that the WaterMiner malware is intentionally made to infect target systems and use their resources to mine the Monero cryptocurrency and generate income for the operators.

Further Investigation Into The WaterMiner Monero Miner

The discovered source code has led to a detailed analysis of the intended end results. The comments are written in Russian and (luckily) they led to some interesting insights on the way the WaterMiner is run.

When the instance is executed and started on the client computers a total of 11 mine files are loaded into a temporary folder. A persistent installation is then achieved using a combination of different system settings modifications. This effectively makes manual removal impossible as the malware is able to constantly track the actions of the user or anti-virus programs. To remove such infections the victims should utilize a quality anti-spyware solution. The WaterMiner Monero miner is intended to be downloaded only once to hide itself from pattern recognition analysis and other security measures.

In addition the security experts were able to follow the code to the TO-DO section which lists future possible updates to the core engine. The hackers behind the Monero miner intend to bundle a backup module into the malware. This will allow the program to automatically secure itself against partial removal, unauthorized access or modification. Another future update can bring an improved persistence mechanism by using the Task Scheduler.

The showcased example is a prior instance of the WaterMiner Monero malware which features a similar infection tactic to the contemporary version, namely in the way that the process is saved to a temporary file called “Intel(R) Security Assistent.exe”. It is installed as a persistent infection via a set registry value disguised as a “Oracle Corporation” application.

WaterMiner Monero Miner Operations

The WaterMiner Monero miner connects to a predefined pool by having specific instructions in its configuration file. A mining pool is a centralized node which takes a Monero blockchain block and distributes it to the connected peers for processing. When a set number of shares are returned and verified by the pool a reward in the form of Monero cryptocurrency is wired to the designated wallet address. In the case of the malicious instance this is the address operated by the criminals.

The captured strains were found to connect to Minergate which is one of the most popular options that users consider. Previous reports that this is one of the pools that are widely used by botnets and hacked computers. The actual WaterMiner Monero miner software is a modified verson of the widely-used open-source XMRig software.

By itself this is not a malware however its installation without user consent is identified as a major security risk. Older versions of the WaterMiner virus have been found to use another miner called Nice Hash. The switch to XMRig is probably because the older software requires a dozen of different files to run properly on the compromised machines.

The miners themselves rely on the available system resources to carry out complex computations using the processor or the graphic cards. One of the most obvious signs of infection is serious performance degradation. Some of the captured samples defend against investigation into the possible reasons by continuously searching the system for an open window that is named after one of the following names or contains a related string: Windows Task Manager, Task Manager, Anti-virus, Process Hacker. The built-in commands showcase that the strings are entered in both Russian and English.

If any of the above mentioned applications are detected they are either shut down or the mining process is halted. This is a stealth protection feature which attempts to mask the infection presence from the victims.

Who Is Behind the WaterMiner Monero Miner

One of the interesting aspects related to the WaterMiiner malware is its creators. The security researchers attempted to identify the hacker or criminal collective behind the virus. The investigation started with the tracking of the posts and activities of the forum profiles that distributed the infected GTA game mods. The person (or people) behind the account called “Martin Opc0d3r” were cross-referenced with other Internet boards. The reports showcase that at the moment the distribution is tied only to the gaming community found at this site.

One of the WaterMiner samples included hardcoded addresses which host the virus instances on almost identical URLS hosted on Russian web servers. It is possible that they are generated automatically by a script or an automated program. Additional samples were found on multiple domains following a shared algorithm.

Some of the links identified by the researchers are no longer accessible. During the investigations the experts note that similar strains have been found. It is probable that they are customized versions of the WaterMiner Monero miner. A Pastebin code snippet associated with the hacker profile suggests that some of the archives that bear the same or similar name are actual Trojan instances and not the malware miner itself.

As the investigation continued further by analyzing the behavior, frequency of posts, links and other activity of the profile associated with the attackers, the researchers note that the cybercriminal is experienced at using different sites and networks. However one of the profiles on the Russian social network VK a different identity called Anton has been used.

During a discussion with another user the man under the name of Anton admitted to be the man behind the malicious identity. When the information was cross-referenced by the investigators they were able to partially confirm that this person is the hacker responsible for the Monero miner.

Active infections of the WaterMiner Monero miner can be removed using a quality anti-spyware solution. Found instances can be efficiently removed by only a few mouse clicks.